[Dshield] Question on appropriate university research

Jeff Stebelton jeff.stebelton at gmail.com
Tue Sep 18 12:35:51 GMT 2007

Tom Liston had a good ISC handlers entry on this case.


Jeff Stebelton
Manager, Network Security
BISYS Fund Services
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Stasiniewicz, Adam
Sent: Tuesday, September 18, 2007 8:14 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Question on appropriate university research

Interestingly enough, the simple act of port scanning is not illegal in the
US (in 2001 a federal court case, Moulton v. VC3, decided this).  But DOS
attacks (say by flooding a network with port 22 SYNs) and using exploits (to
gain unauthorized access to SSH servers) are illegal.  In addition I can see
a crafty lawyer being able to make arguments for the following two
scenarios: First, that you explicitly tell CMU not to port scan you, but
they still do (trespassing laws).  Second, that if CMU were to publish their
results and those results specify your organization and all their SSH server
(privacy laws).

But legality aside.  I agree there is a strong ethical issue here.  I think
it is only reasonable to ask IP block owners for their permission before
scanning their networks.  Not that I think IP block owners have something to
hide or that by being notified there is some sort of security gain, rather,
out of simple curtsey IP block owners should be advised that their network
is going to be the subject of research.

I would be interested to hear more about what exactly this research project
is attempting to do.  Does anyone have any more specific information about

My $0.02,
Adam Stasiniewicz

More information about the list mailing list